Admission Controllers

Overview

Admission control plug-ins intercept requests to the master API prior to
persistence of a resource, but after the request is authenticated and
authorized.

Each admission control plug-in is run in sequence before a request is accepted
into the cluster. If any plug-in in the sequence rejects the request, the entire
request is rejected immediately, and an error is returned to the end-user.

Admission control plug-ins may modify the incoming object in some cases to apply
system configured defaults. In addition, admission control plug-ins may modify
related resources as part of request processing to do things such as
incrementing quota usage.

The OpenShift Container Platform master has a default list of plug-ins that are enabled by
default for each type of resource (Kubernetes and OpenShift Container Platform). These are
required for the proper functioning of the master. Modifying these lists is not
recommended unless you strictly know what you are doing. Future versions of the
product may use a different set of plug-ins and may change their ordering. If
you do override the default list of plug-ins in the master configuration file,
you are responsible for updating it to reflect requirements of newer versions of
the OpenShift Container Platform master.

General Admission Rules

Starting in
3.3,
OpenShift Container Platform uses a single admission chain for Kubernetes and OpenShift Container Platform
resources. This changed from
3.2,
and before where we had separate admission chains. This means that the top-level
admissionConfig.pluginConfig element can now contain the admission plug-in
configuration, which used to be contained in
kubernetesMasterConfig.admissionConfig.pluginConfig.

The kubernetesMasterConfig.admissionConfig.pluginConfig should be moved and
merged into admissionConfig.pluginConfig.

Also, starting in
3.3,
all the supported admission plug-ins are ordered in the single chain for you.
You should no longer set admissionConfig.pluginOrderOverride or the
kubernetesMasterConfig.admissionConfig.pluginOrderOverride. Instead, you
should enable plug-ins that are off by default by either adding their
plug-in-specific configuration, or adding a DefaultAdmissionConfig stanza
like this:

Indicates that a plug-in should be enabled. It is optional and shown here only for reference.

Setting disable to true will disable an admission plug-in that defaults to on.

Admission plug-ins are commonly used to help enforce security on the API server.
Be careful when disabling them.

If you were previously using admissionConfig elements that cannot be safely
combined into a single admission chain, you will get a warning in your API
server logs and your API server will start with two separate admission chains
for legacy compatibility. Update your admissionConfig to resolve the
warning.

Customizable Admission Plug-ins

Cluster administrators can configure some admission control plug-ins to control
certain behavior, such as: